Managers aim to improve plant operational performance and profitability, but this must not be done at an increased risk of causing injury or death. How do you know whether your systems are sufficient to fulfil your plant safety obligations? How do you prove that you have applied the right judgements and implementation techniques to achieve an acceptable level of risk?

By Simon Coombs, Capula, UK

Safety cannot be compromised. Creating safe, reliable plant operation is an essential necessity for major plant operators. As well as establishing safe workplaces in the power generation industry by ensuring safe systems of work are followed, management also has to ensure that often highly complex plant is controlled in a safe way. When it goes wrong, the result can be catastrophic.

To help ensure this does not happen and to comply with evolving safety standards and regulations, management teams are increasingly incorporating safety specifications into their requirements when they look to replace or upgrade plant control systems and computerized management information solutions. This growing demand and a heightened awareness is fuelling a revolution in safety-related technologies, increasing the reliance being placed on smart equipment, integrated control and safety systems, and subsystems.

Modern technologies

Solutions that are built using modern technologies can be used to improve safety, but they need to be designed, implemented, tested and maintained to a high quality that matches the required level of safety integrity. The standards being adopted as best practice in most industries, in the absence of an industry-specific one, are BSEN 61508, the international standard for functional safety of electrical, electronic and programmable electronic safety systems, and BSEN 61511, which is specifically for the process control industry.

Since the mid-1980s, there has been an increasing reliance on programmable safety systems in power generation. More recently, safety specifications are creeping into control systems requirements. By adopting BSEN 61508 as best practice, the power generation industry is looking to put in place a standard that will mitigate concerns over safety.

The reason why such a standard is needed is clear. Every plant owner has a legal responsibility to apply due diligence to the issue of plant safety and to ensure that all possible steps have been taken in the design of process plant to eliminate, as far as possible, any hazards that could cause injury or death to personnel. This need has always existed, but apart from the general desire by all parties to make the workplace safer, the Health and Safety Executive (HSE) in the UK is taking a greater interest in the subject of functional safety because several high-profile industrial accidents have occurred there recently and there is a growing culture of litigation.

Where intrinsic design safety features cannot completely protect against a potential hazard, it often falls on the control and automation system to perform a safety function. Such a function is called safety-related and describes the action of the safety system to detect a potential hazard and take action to prevent it from occurring (i.e. prevent, trip or shut down the process). The design and implementation of a safety function must therefore be carried out against stringent standards to ensure that in the event that it is called on, we can, as far as is practical, be sure that it will work correctly.

The established way to ensure the functionality of the safety system is to mandate the use of a suitable safety design standard such as BSEN 61508. The responsibility falls on the owner or operator of the plant to correctly identify the safety functions involved and specify the level of integrity to be applied. They must also ensure that the system provider designs and implements the safety system to a specification in accordance with the standard.

This all sounds straightforward, but in reality there is much variation among the various parties involved in the understanding and interpretation of what is actually required to claim full compliance and competence in delivering safety systems. This could result in a failure to correctly specify or implement a safety system: a fault in the system specification, the design or the testing of the installation may mean that the system fails to perform its safety function when called on to do so, with disastrous consequences. To help demonstrate competence, Conformity Assessment of Safety-related Systems (CASS) is a certification scheme set up and managed by all those sectors of industry with an interest in accredited certification to BSEN 61508. It is run in the UK under the national accreditation body scheme of the UK Accreditation Service (UKAS).

The scheme provides a rigorous and internationally acceptable structure under which certification of safety-related systems can take place. It ensures consistency in the assessment of both products and functional safety management systems and clarifies issues of interpretation with the generic standard. The scheme ensures transparency in the certification process, minimizes costs for clients and offers assistance in preparing the necessary technical files.

Good examples of safety systems in the power industry include Drax Power, which is refurbishing the main process control systems of the 660 MW generating units at Drax coal fired power station in North Yorkshire, UK. This project includes the replacement of the relay-based protection interlocking system that protects the boiler and turbine plant. This system is being replaced with a modern programmable safety system by Capula, a systems integrator with skills and capabilities in the design of safety-related systems.

Installation of a safety system at Drax power station in the UK during refurbishment of process control equipment

Scottish Power has also recently refurbished one of the process control systems at Longannet power station at Kincardine-on-Forth in Scotland. The refurbishment project was at the HP feed heater protection control systems on all four of the 600 MW generating units at the station. The system is vital for the safe operation of the turbine and feed water heating plant, which is why Scottish Power has classified it as a safety system. The safety lifecycle used by Capula on this critical project will help to ensure that all the obligations under BSEN 61508 are fully discharged.

The projects described above demonstrate how leading UK energy suppliers in the power generation market are applying the BSEN 61508 guidelines for safety related systems.

System design

The design of a safety system is a key part of its life-cycle. The equipment under control should include all items which are involved in performing the safety function: the plant sensor(s) that detect safe or unsafe conditions, the safety system logic function which determines when a safety function should be instigated, and the safety actuator, which is the prime actuating device to prevent or trip the process to make it safe.

Simple logic functions can be achieved by means of a hardwired system based on relay technology. However, where the logic becomes more involved, the configuration of a relay-based system becomes too complex and inflexible to design and implement, and may in itself be inherently unsafe. In such instances, the safety logic becomes much easier to implement in a programmable safety controller.

Traditionally, specialist manufacturers have supplied safety platforms. But with the increasing focus on lower cost programmable safety solutions, there are many new products available from leading automation equipment suppliers that can be used to create quite sophisticated safety systems. Some have been designed specifically for this task, while others are adaptations of standard process controllers.

In all cases, the first step in the design of a safety system involves the selection of a suitable certified safety system product. Safety controllers, by their very nature, are based on microprocessor technologies. These products consist of hardware and software components – such as electronic circuits and operating systems – that have been designed and manufactured to minimize the chance of internal errors causing an unsafe operation. It is normal for the supplier to obtain independent verification of the integrity of the product from organizations such as TÜV.

The certification by a recognized body is usually a key marketing attribute. Unfortunately, different products achieve different levels of integrity and have different features and functions. Approval bodies must state the results of the tests, state any conditions of use and make recommendations for the safe use of the products. The designer of the system must scrutinize the manufacturer’s safety manual and make a decision on the most appropriate safety system platform. Once this is done, the system architecture can be designed. Given that most projects contain process control, automation and safety functions – non-safety related functions and safety-related functions – a key design decision is whether to combine all functions into one controller or to segregate safety from non-safety functions in separate controllers. Both solutions are viable and each has its advantages. Figures 1 and 2 illustrate the two architectures.

Segregated system architecture


Combined system architecture

Some manufacturers provide products that can include both safety and non-safety functions. Special measures are made in their design to ensure that non-safety functions cannot interfere with safety functions. Those products that cannot do this may not be suitable.

The advantage of a combined system solution is that it is usually initially lower in cost because its hardware complexity is lower. A disadvantage is that once commissioned, any changes required to the process control system (i.e., the non-safety system) may be severely restricted because they will have to be implemented in a safety controller platform. This makes changes difficult to implement, expensive to carry out and, in some cases, requires the plant to be shut down. Segregated systems avoid this restriction. By separating out only those functions that are safety related, they simplify the design and testing of the safety system. Future process modifications can be done without affecting the safety lifecycle.

A further consideration is that of system availability. Where high availability is a requirement – almost mandatory on a power station application – dual redundant components can be built into the architecture design, but this can sometimes limit the selection of products.
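The three elements described above (sensors, safety logic, actuator), the segregated architecture and the use of redundant components can be put together in a small model. The following is an added illustrative example written for this article, not code from Capula, Drax, Scottish Power or any product mentioned; it is plain Python rather than PLC application code, and the "drum level" signal, the trip point and the 2-out-of-3 sensor voting are assumptions chosen for illustration. It shows the two properties a designer wants from a segregated system: a faulted sensor channel votes for trip (fail-safe) while a single fault does not cause a spurious trip (availability), and the non-safety process controller can stop the final element but can never override a trip.

```python
"""Model of a segregated safety function with 2oo3 voted sensors and a
de-energize-to-trip output. Illustrative example; plant values are hypothetical."""
from dataclasses import dataclass
from typing import Optional, Sequence

# Hypothetical low-low drum level trip point, in mm relative to normal level.
DRUM_LEVEL_TRIP_MM = -300.0


@dataclass(frozen=True)
class SensorReading:
    """One redundant channel. value_mm is None when the transmitter is faulted
    (open circuit / out of range), which the logic must treat as unsafe."""
    value_mm: Optional[float]
    healthy: bool


def channel_demands_trip(reading: SensorReading, trip_point: float) -> bool:
    """A single channel's vote. A faulted channel votes 'trip' (fail-safe)."""
    if not reading.healthy or reading.value_mm is None:
        return True
    return reading.value_mm <= trip_point


def vote_2oo3(votes: Sequence[bool]) -> bool:
    """Two-out-of-three majority vote: tolerates one failed channel in either
    direction without losing the function or tripping spuriously."""
    if len(votes) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    return sum(1 for v in votes if v) >= 2


def safety_permissive(readings: Sequence[SensorReading],
                      trip_point: float = DRUM_LEVEL_TRIP_MM) -> bool:
    """Safety logic output, energized (True) when running is permitted.
    Computed from safety inputs only: nothing from the process controller
    enters this function, which is the segregation the text describes."""
    votes = [channel_demands_trip(r, trip_point) for r in readings]
    return not vote_2oo3(votes)


def actuator_command(permissive: bool, process_run_request: bool) -> bool:
    """Final element is driven only when the safety permissive is energized AND
    the non-safety controller requests run. The process side can stop the
    plant but cannot run it through a trip."""
    return permissive and process_run_request


def evaluate_cycle(readings: Sequence[SensorReading],
                   process_run_request: bool) -> dict:
    """One scan of the combined plant: returns both intermediate signals so a
    reviewer can trace the trip decision back to the sensor votes."""
    permissive = safety_permissive(readings)
    return {
        "channel_votes": [channel_demands_trip(r, DRUM_LEVEL_TRIP_MM) for r in readings],
        "permissive": permissive,
        "actuator_run": actuator_command(permissive, process_run_request),
    }


if __name__ == "__main__":
    # Constructed sample scan: one transmitter faulted, two reading normal level.
    scan = [SensorReading(-20.0, True), SensorReading(None, False), SensorReading(-25.0, True)]
    print(evaluate_cycle(scan, process_run_request=True))
```

The model deliberately keeps `safety_permissive` free of any process-controller input; in a combined controller the designer would have to show, from the manufacturer's safety manual, that the product enforces the same separation internally.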

Clearly, there is a responsibility for both the plant operator and the solution supplier to comply with the BSEN 61508 guidelines. However, the standards can only be effective if they are used by competent organizations that understand how to implement them. Contracting with organizations that have relevant safety competency is fundamental to the provision and operation of safe plant systems. This is not always as easy as it seems, particularly in highly technical areas, where technologies are developing at an astonishing rate.

An essential requirement is that all individuals working on safety-related systems are competent and qualified safety practitioners for the role that they fulfil. Competence is demonstrated by assessment and appraisal of individuals in accordance with recognized guidelines.

The pace of change in this safety technology arena demands that power generation operators take care when they select suppliers for safety systems. They also need to train their own employees so that they are knowledgeable of and up to date with the safety technology and jargon and can confidently select and employ a competent safety system supplier.

Getting it right

The successful implementation of a system to BSEN 61508 relies on several key issues. The project must be rigorously analyzed and specified by the plant owner to identify the potential hazards, the requirements for safety functions and additional external issues. This specification should include a clear description of the required safety functions, safe mode of operation and the required safety integrity level (known as the SIL rating). The safety requirements specification should be clearly described, understood and not open to interpretation.

Traceability must exist between the requirements and the design documentation to show that all functions have been properly carried through, and observance of the guidelines must continue after commissioning, i.e., regular proof testing and no unauthorized changes. A safety certificate would normally be supplied that details the safety argument and the requirements for ensuring the safe operation and maintenance of the system over time.
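The link between the SIL rating in the specification and the "regular proof testing" obligation after commissioning can be made concrete with a worked estimate. The example below is added for this article and is not from the standard's text or from any of the projects described; it uses the widely quoted simplified approximations for the average probability of failure on demand of a low-demand safety function (PFDavg ≈ λDU·TI/2 for a single channel and (λDU·TI)²/3 for a 1oo2 pair, ignoring common-cause failure and repair time) and the IEC 61508 low-demand SIL bands. The dangerous-undetected failure rate is a hypothetical figure; a real assessment would use the certified product's safety manual data and a full model.

```python
"""Worked PFDavg estimate versus proof-test interval for a low-demand safety
function. Added example with hypothetical failure-rate figures."""

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand mode target bands: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# Hypothetical total dangerous-undetected failure rate for the loop (per hour):
# sensor + logic solver + final element, assumed for illustration only.
LAMBDA_DU_PER_HOUR = 4e-6


def pfd_avg_1oo1(lambda_du: float, proof_test_interval_h: float) -> float:
    """Simplified single-channel approximation, valid when lambda_du * TI << 1."""
    return lambda_du * proof_test_interval_h / 2.0


def pfd_avg_1oo2(lambda_du: float, proof_test_interval_h: float) -> float:
    """Simplified dual-redundant (1oo2) approximation with common-cause failure
    ignored; in practice a beta-factor term dominates and must be added."""
    x = lambda_du * proof_test_interval_h
    return (x * x) / 3.0


def sil_from_pfd(pfd: float):
    """Map a PFDavg to its low-demand SIL band; None when outside the table
    (worse than SIL 1 or better than the SIL 4 lower bound)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def max_proof_test_interval_hours(lambda_du: float, target_sil: int) -> float:
    """Longest 1oo1 proof-test interval that keeps PFDavg inside the target band,
    i.e. TI < 2 * (band upper bound) / lambda_du."""
    for sil, _lo, hi in SIL_BANDS:
        if sil == target_sil:
            return 2.0 * hi / lambda_du
    raise ValueError(f"unknown SIL {target_sil}")


def proof_test_table(lambda_du: float, intervals_years):
    """Return (interval_years, pfd_1oo1, sil_1oo1) rows for a set of candidate
    proof-test intervals, to show how the interval moves the achieved SIL."""
    rows = []
    for years in intervals_years:
        pfd = pfd_avg_1oo1(lambda_du, years * HOURS_PER_YEAR)
        rows.append((years, pfd, sil_from_pfd(pfd)))
    return rows


if __name__ == "__main__":
    for years, pfd, sil in proof_test_table(LAMBDA_DU_PER_HOUR, [0.25, 0.5, 1.0, 2.0]):
        print(f"proof test every {years:4.2f} y: PFDavg={pfd:.2e}  -> SIL {sil}")
    ti = max_proof_test_interval_hours(LAMBDA_DU_PER_HOUR, 2)
    print(f"longest interval holding SIL 2 (1oo1): {ti:.0f} h = {ti / HOURS_PER_YEAR:.2f} y")
```

With the assumed figure, an annual proof test leaves the single-channel loop in the SIL 1 band, while a quarterly test brings it into SIL 2; this is why the proof-test interval written into the safety requirements specification is itself a safety requirement that an unauthorized change to the maintenance schedule would invalidate.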

Aerial view of Drax power station, which is the UK’s largest coal fired plant (source: Drax Power)

The system design for both hardware and software should be carefully done to ensure the safety integrity is realized in all modes of operation. As well as using suitable products, the design and implementation processes should be proven as compliant. All staff involved in the process should be suitably qualified, experienced and capable of carrying out the required tasks.

Full compliance with BSEN 61508 guidelines should be achieved throughout the entire project lifecycle, and the system must be thoroughly and robustly verified, assessed and validated. The operators and engineering staff who operate and maintain the system should also be suitably trained and understand the safety implication of any actions they take. In an ideal situation, the system should be developed and installed by a supplier that can demonstrate competence of its management systems in meeting the BSEN 61508 requirements. Typically, this could be demonstrated by that organization being independently assessed and certified by an accredited body under the CASS scheme.

By ensuring a proven and structured approach to safety systems, management can be confident that it can achieve performance, profitability and the right level of risk, to ensure a safe environment for its staff and members of the public.